Ensure AWS IAM password policy does not allow password reuse

ID

pwd_policy_reuse

Severity

high

Vendor

AWS

Resource

IAM (AWS Identity and Access Management)

Tags

reachable

Description

AWS IAM does not restrict password reuse unless the account password policy explicitly sets a reuse limit. With the default policy, or with a custom policy that omits password reuse prevention, a user whose password has expired or been rotated can simply set the old password again, which defeats the purpose of rotation after a suspected credential leak. Preventing reuse is also required by the CIS AWS Foundations Benchmark (which recommends remembering 24 previous passwords) and by similar compliance standards.

The policy's password reuse prevention setting takes a value from 1 to 24: the number of previous passwords a user is prevented from reusing. It governs only IAM user console passwords; it has no effect on access keys or on federated users who authenticate through an external identity provider.

Examples

Buildtime

Terraform

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 15
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true    (1)
}
1 There is no password_reuse_prevention value set, so the account keeps the AWS default of 0 and users can reuse any previous password.

Mitigation / Fix

Buildtime

Terraform

resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 15
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
  password_reuse_prevention      = 24 (1)
}
1 Set password_reuse_prevention to 24, the maximum AWS accepts and the value CIS recommends; a lower value still allows a password to return after that many rotations.
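As a runtime complement to the buildtime fix above, the following is an added example (it is not part of this page or of the vendor's own check) that evaluates the JSON returned by `aws iam get-account-password-policy` and reports whether reuse prevention meets the threshold. The two sample responses are constructed to mirror the real response shape; the `evaluate_reuse_prevention` function, the `REQUIRED_REUSE_PREVENTION` constant and the helper that interprets CLI output are assumptions of this example. An account with no password policy at all is modeled as `None`, because the CLI and boto3 return a NoSuchEntity error instead of a document in that case, and that account also allows unlimited reuse.

```python
"""Check an AWS IAM account password policy for password-reuse prevention.

The policy documents below are constructed samples in the shape that
`aws iam get-account-password-policy` (and boto3's
iam.get_account_password_policy()) returns; no AWS call is made here.
"""
import json

# CIS AWS Foundations Benchmark recommendation; also the maximum AWS accepts.
REQUIRED_REUSE_PREVENTION = 24

# Constructed sample: a policy that sets everything except reuse prevention
# (the same gap as the Terraform example in this page).
SAMPLE_WEAK = json.loads("""
{
  "PasswordPolicy": {
    "MinimumPasswordLength": 15,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": false
  }
}
""")

# Constructed sample: the same policy after the fix.
SAMPLE_STRONG = json.loads("""
{
  "PasswordPolicy": {
    "MinimumPasswordLength": 15,
    "RequireSymbols": true,
    "RequireNumbers": true,
    "RequireUppercaseCharacters": true,
    "RequireLowercaseCharacters": true,
    "AllowUsersToChangePassword": true,
    "ExpirePasswords": false,
    "PasswordReusePrevention": 24
  }
}
""")


def load_cli_output(stdout, stderr=""):
    """Turn raw CLI output into a policy dict, or None when no policy exists.

    `aws iam get-account-password-policy` prints JSON on success and a
    NoSuchEntity error on stderr when the account has never set a policy.
    """
    if "NoSuchEntity" in stderr or not stdout.strip():
        return None
    return json.loads(stdout)


def evaluate_reuse_prevention(response, required=REQUIRED_REUSE_PREVENTION):
    """Return (passed, reason) for the password-reuse check.

    `response` is the parsed get-account-password-policy document, or None
    when the account has no policy (NoSuchEntity), which means AWS defaults
    apply and previous passwords may be reused without limit.
    """
    if response is None:
        return False, "no account password policy exists; reuse is unrestricted"
    policy = response.get("PasswordPolicy")
    if not isinstance(policy, dict):
        return False, "response does not contain a PasswordPolicy object"
    value = policy.get("PasswordReusePrevention")
    if value is None:
        return False, "PasswordReusePrevention is not set; reuse is unrestricted"
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 24:
        return False, f"PasswordReusePrevention={value!r} is outside the 1-24 range AWS accepts"
    if value < required:
        return False, f"PasswordReusePrevention={value} is below the required {required}"
    return True, f"PasswordReusePrevention={value} meets the required {required}"


if __name__ == "__main__":
    # Constructed stderr text in the style of the CLI's NoSuchEntity error.
    missing = load_cli_output("", "An error occurred (NoSuchEntity) when calling "
                                  "the GetAccountPasswordPolicy operation")
    for label, doc in (("no policy", missing), ("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        passed, reason = evaluate_reuse_prevention(doc)
        print(f"{label:9s} {'PASS' if passed else 'FAIL'}: {reason}")
```

Run it against a live account by piping `aws iam get-account-password-policy` into `load_cli_output`; treating the NoSuchEntity error as a failure rather than a crash is the important edge case, since an account that has never had a policy configured is the most common way this check fails in practice.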